[Xen-changelog] [xen-unstable] Cleanups after XSM checkin.
# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Date 1188558307 -3600
# Node ID 7e7e0ea6a0bbc093461f199947d6c99eaae01eba
# Parent fa4d44c9d9f668867f6cb578155433678f6c5a93
Cleanups after XSM checkin.
Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
 xen/include/acm/acm_core.h | 196 -------------
 xen/include/acm/acm_endian.h | 69 ----
 xen/include/acm/acm_hooks.h | 349 ------------------------
 xen/include/public/acm.h | 229 ---------------
 xen/include/public/acm_ops.h | 159 ----------
 .hgignore | 1
 Config.mk | 12
 tools/Rules.mk | 2
 tools/libxc/xenctrl.h | 4
 tools/python/xen/lowlevel/acm/acm.c | 5
 tools/security/secpol_tool.c | 4
 tools/security/secpol_xml2bin.c | 3
 xen/Rules.mk | 8
 xen/arch/ia64/xen/xensetup.c | 2
 xen/arch/powerpc/setup.c | 2
 xen/arch/x86/setup.c | 2
 xen/include/public/xsm/acm.h | 229 +++++++++++++++
 xen/include/public/xsm/acm_ops.h | 159 ++++++++++
 xen/include/xen/sched.h | 5
 xen/include/xsm/acm/acm_core.h | 196 +++++++++++++
 xen/include/xsm/acm/acm_endian.h | 69 ++++
 xen/include/xsm/acm/acm_hooks.h | 349 ++++++++++++++++++++++++
 xen/xsm/acm/acm_chinesewall_hooks.c | 9
 xen/xsm/acm/acm_core.c | 10
 xen/xsm/acm/acm_null_hooks.c | 2
 xen/xsm/acm/acm_ops.c | 6
 xen/xsm/acm/acm_policy.c | 8
 xen/xsm/acm/acm_simple_type_enforcement_hooks.c | 6
 xen/xsm/acm/acm_xsm_hooks.c | 20 -
 29 files changed, 1056 insertions(+), 1059 deletions(-)
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb .hgignore
--- a/.hgignore Fri Aug 31 11:41:49 2007 +0100
+++ b/.hgignore Fri Aug 31 12:05:07 2007 +0100
@@ -151,6 +151,7 @@
 ^tools/python/build/.*$
 ^tools/security/secpol_tool$
 ^tools/security/xen/.*$
+^tools/security/xensec_tool$
 ^tools/tests/blowfish\.bin$
 ^tools/tests/blowfish\.h$
 ^tools/tests/test_x86_emulator$
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb Config.mk
--- a/Config.mk Fri Aug 31 11:41:49 2007 +0100
+++ b/Config.mk Fri Aug 31 12:05:07 2007 +0100
@@ -79,19 +79,9 @@ CFLAGS += $(foreach i, $(EXTRA_INCLUDES)
 CFLAGS += $(foreach i, $(EXTRA_INCLUDES), -I$(i))
 # Enable XSM security module. Enabling XSM requires selection of an
-# XSM security module.
+# XSM security module (FLASK_ENABLE or ACM_SECURITY).
 XSM_ENABLE ?= n
-ifeq ($(XSM_ENABLE),y)
 FLASK_ENABLE ?= n
-ifeq ($(FLASK_ENABLE),y)
-FLASK_DEVELOP ?= y
-FLASK_BOOTPARAM ?= y
-FLASK_AVC_STATS ?= y
-endif
-endif
-
-# If ACM_SECURITY = y, then the access control module is compiled
-# into Xen and the policy type can be set by the boot policy file
 ACM_SECURITY ?= n
 # Optional components
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/Rules.mk
--- a/tools/Rules.mk Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/Rules.mk Fri Aug 31 12:05:07 2007 +0100
@@ -49,6 +49,8 @@ mk-symlinks:
 ( cd xen/hvm && ln -sf ../../$(XEN_ROOT)/xen/include/public/hvm/*.h . )
 mkdir -p xen/io
 ( cd xen/io && ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . )
+ mkdir -p xen/xsm
+ ( cd xen/xsm && ln -sf ../../$(XEN_ROOT)/xen/include/public/xsm/*.h . )
 mkdir -p xen/arch-x86
 ( cd xen/arch-x86 && ln -sf ../../$(XEN_ROOT)/xen/include/public/arch-x86/*.h . )
 mkdir -p xen/foreign
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/libxc/xenctrl.h
--- a/tools/libxc/xenctrl.h Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/libxc/xenctrl.h Fri Aug 31 12:05:07 2007 +0100
@@ -26,8 +26,8 @@
 #include <xen/event_channel.h>
 #include <xen/sched.h>
 #include <xen/memory.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
 #ifdef __ia64__
 #define XC_PAGE_SHIFT 14
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/python/xen/lowlevel/acm/acm.c
--- a/tools/python/xen/lowlevel/acm/acm.c Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/python/xen/lowlevel/acm/acm.c Fri Aug 31 12:05:07 2007 +0100
@@ -18,6 +18,7 @@
 *
 * indent -i4 -kr -nut
 */
+
 #include <Python.h>
 #include <stdio.h>
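Review bot: Nothing in the rewritten Config.mk block enforces the relationship the new comment describes: FLASK_ENABLE and ACM_SECURITY are now assigned independently of XSM_ENABLE, so a configuration can select a module with XSM_ENABLE=n, or select both modules at once, and make will not object. Both modules add their own -DXSM_MAGIC value in the xen/Rules.mk hunk of this patch, so selecting both produces two conflicting definitions on one compiler command line instead of a clear configuration error. Suggest a guard right after `ACM_SECURITY ?= n`: `ifeq ($(FLASK_ENABLE)$(ACM_SECURITY),yy)`, `$(error FLASK_ENABLE and ACM_SECURITY are mutually exclusive)`, `endif`, and a similar one that errors when a module is selected but XSM_ENABLE is not y.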
@@ -27,8 +28,8 @@
 #include <stdlib.h>
 #include <sys/ioctl.h>
 #include <netinet/in.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
 #include <xenctrl.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/security/secpol_tool.c
--- a/tools/security/secpol_tool.c Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/security/secpol_tool.c Fri Aug 31 12:05:07 2007 +0100
@@ -34,8 +34,8 @@
 #include <string.h>
 #include <netinet/in.h>
 #include <stdint.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
 #include <xenctrl.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/security/secpol_xml2bin.c
--- a/tools/security/secpol_xml2bin.c Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/security/secpol_xml2bin.c Fri Aug 31 12:05:07 2007 +0100
@@ -22,6 +22,7 @@
 *
 * indent -i4 -kr -nut
 */
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -38,7 +39,7 @@
 #include <libxml/tree.h>
 #include <libxml/xmlreader.h>
 #include <stdint.h>
-#include <xen/acm.h>
+#include <xen/xsm/acm.h>
 #include "secpol_xml2bin.h"
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/Rules.mk
--- a/xen/Rules.mk Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/Rules.mk Fri Aug 31 12:05:07 2007 +0100
@@ -57,11 +57,9 @@ ALL_OBJS-y += $(BASEDIR)/a
 CFLAGS-y += -g -D__XEN__
 CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE
-CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
-CFLAGS-$(FLASK_DEVELOP) += -DFLASK_DEVELOP
-CFLAGS-$(FLASK_BOOTPARAM) += -DFLASK_BOOTPARAM
-CFLAGS-$(FLASK_AVC_STATS) += -DFLASK_AVC_STATS
-CFLAGS-$(ACM_SECURITY) += -DACM_SECURITY -DXSM_MAGIC=0xbcde0100
+CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
+CFLAGS-$(FLASK_ENABLE) += -DFLASK_DEVELOP -DFLASK_BOOTPARAM -DFLASK_AVC_STATS
+CFLAGS-$(ACM_SECURITY) += -DACM_SECURITY -DXSM_MAGIC=0xbcde0100
 CFLAGS-$(verbose) += -DVERBOSE
 CFLAGS-$(crash_debug) += -DCRASH_DEBUG
 CFLAGS-$(perfc) += -DPERF_COUNTERS
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/arch/ia64/xen/xensetup.c
--- a/xen/arch/ia64/xen/xensetup.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/arch/ia64/xen/xensetup.c Fri Aug 31 12:05:07 2007 +0100
@@ -28,7 +28,7 @@
 #include <asm/iosapic.h>
 #include <xen/softirq.h>
 #include <xen/rcupdate.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #include <asm/sn/simulator.h>
 unsigned long xenheap_phys_end, total_pages;
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/arch/powerpc/setup.c
--- a/xen/arch/powerpc/setup.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/arch/powerpc/setup.c Fri Aug 31 12:05:07 2007 +0100
@@ -38,7 +38,7 @@
 #include <xen/numa.h>
 #include <xen/rcupdate.h>
 #include <xen/version.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #include <public/version.h>
 #include <asm/mpic.h>
 #include <asm/processor.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/arch/x86/setup.c
--- a/xen/arch/x86/setup.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/arch/x86/setup.c Fri Aug 31 12:05:07 2007 +0100
@@ -32,7 +32,7 @@
 #include <asm/desc.h>
 #include <asm/paging.h>
 #include <asm/e820.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #include <xen/kexec.h>
 #include <asm/edd.h>
 #include <xsm/xsm.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/acm/acm_core.h
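Review bot: The new `CFLAGS-$(FLASK_ENABLE) += -DFLASK_DEVELOP -DFLASK_BOOTPARAM -DFLASK_AVC_STATS` line folds three previously independent switches into FLASK_ENABLE, so every FLASK build now gets all three and a deployment can no longer compile any of them out without editing this file. If FLASK_DEVELOP and FLASK_BOOTPARAM govern a runtime enforcing/permissive toggle and its boot parameter, as their names suggest but this patch does not show, that is a hardening knob removed without mention in the commit message. Either keep the per-feature form, `CFLAGS-$(FLASK_DEVELOP) += -DFLASK_DEVELOP` and its two siblings with defaults derived from FLASK_ENABLE in Config.mk, or add a comment on the new line stating that the three are intentionally always on with FLASK.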
--- a/xen/include/acm/acm_core.h Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,196 +0,0 @@ -/**************************************************************** - * acm_core.h - * - * Copyright (C) 2005 IBM Corporation - * - * Author: - * Reiner Sailer <sailer@xxxxxxxxxxxxxx> - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - * - * sHype header file describing core data types and constants - * for the access control module and relevant policies - * - */ - -#ifndef _ACM_CORE_H -#define _ACM_CORE_H - -#include <xen/spinlock.h> -#include <xen/list.h> -#include <public/acm.h> -#include <public/acm_ops.h> -#include <acm/acm_endian.h> - -#define ACM_DEFAULT_SECURITY_POLICY \ - ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY - -/* Xen-internal representation of the binary policy */ -struct acm_binary_policy { - char *policy_reference_name; - u16 primary_policy_code; - u16 secondary_policy_code; - struct acm_policy_version xml_pol_version; -}; - -struct chwall_binary_policy { - u32 max_types; - u32 max_ssidrefs; - u32 max_conflictsets; - domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */ - domaintype_t *conflict_aggregate_set; /* [max_types] */ - domaintype_t *running_types; /* [max_types] */ - domaintype_t *conflict_sets; /* [max_conflictsets][max_types]*/ -}; - -struct ste_binary_policy { - u32 max_types; - u32 max_ssidrefs; - domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */ - atomic_t ec_eval_count, gt_eval_count; - atomic_t ec_denied_count, gt_denied_count; - atomic_t ec_cachehit_count, gt_cachehit_count; -}; - -/* global acm policy */ -extern u16 acm_active_security_policy; -extern struct acm_binary_policy acm_bin_pol; -extern struct chwall_binary_policy chwall_bin_pol; -extern struct ste_binary_policy ste_bin_pol; -/* use the lock when reading / changing binary policy ! 
*/ -extern rwlock_t acm_bin_pol_rwlock; -extern rwlock_t ssid_list_rwlock; - -/* subject and object type definitions */ -#define ACM_DATATYPE_domain 1 - -/* defines number of access decisions to other domains can be cached - * one entry per domain, TE does not distinguish evtchn or grant_table */ -#define ACM_TE_CACHE_SIZE 8 -#define ACM_STE_valid 0 -#define ACM_STE_free 1 - -/* cache line: - * if cache_line.valid==ACM_STE_valid, then - * STE decision is cached as "permitted" - * on domain cache_line.id - */ -struct acm_ste_cache_line { - int valid; /* ACM_STE_* */ - domid_t id; -}; - -/* general definition of a subject security id */ -struct acm_ssid_domain { - struct list_head node; /* all are chained together */ - int datatype; /* type of subject (e.g., partition): ACM_DATATYPE_* */ - ssidref_t ssidref; /* combined security reference */ - ssidref_t old_ssidref; /* holds previous value of ssidref during relabeling */ - void *primary_ssid; /* primary policy ssid part (e.g. chinese wall) */ - void *secondary_ssid; /* secondary policy ssid part (e.g. type enforcement) */ - struct domain *subject;/* backpointer to subject structure */ - domid_t domainid; /* replicate id */ -}; - -/* chinese wall ssid type */ -struct chwall_ssid { - ssidref_t chwall_ssidref; -}; - -/* simple type enforcement ssid type */ -struct ste_ssid { - ssidref_t ste_ssidref; - struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache */ -}; - -/* macros to access ssidref for primary / secondary policy - * primary ssidref = lower 16 bit - * secondary ssidref = higher 16 bit - */ -#define ACM_PRIMARY(ssidref) \ - ((ssidref) & 0xffff) - -#define ACM_SECONDARY(ssidref) \ - ((ssidref) >> 16) - -#define GET_SSIDREF(POLICY, ssidref) \ - ((POLICY) == acm_bin_pol.primary_policy_code) ? \ - ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref) - -/* macros to access ssid pointer for primary / secondary policy */ -#define GET_SSIDP(POLICY, ssid) \ - ((POLICY) == acm_bin_pol.primary_policy_code) ? 
\ - ((ssid)->primary_ssid) : ((ssid)->secondary_ssid) - -#define ACM_INVALID_SSIDREF (0xffffffff) - -struct acm_sized_buffer -{ - uint32_t *array; - uint num_items; - uint position; -}; - -static inline int acm_array_append_tuple(struct acm_sized_buffer *buf, - uint32_t a, uint32_t b) -{ - uint i; - if (buf == NULL) - return 0; - - i = buf->position; - - if ((i + 2) > buf->num_items) - return 0; - - buf->array[i] = cpu_to_be32(a); - buf->array[i+1] = cpu_to_be32(b); - buf->position += 2; - return 1; -} - -/* protos */ -int acm_init_domain_ssid(struct domain *, ssidref_t ssidref); -void acm_free_domain_ssid(struct acm_ssid_domain *ssid); -int acm_init_binary_policy(u32 policy_code); -int acm_set_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size); -int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy, - struct acm_sized_buffer *, struct acm_sized_buffer *, - struct acm_sized_buffer *); -int acm_get_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size); -int acm_dump_statistics(XEN_GUEST_HANDLE_64(void) buf, u16 buf_size); -int acm_get_ssid(ssidref_t ssidref, XEN_GUEST_HANDLE_64(void) buf, u16 buf_size); -int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, u32 hook); -int acm_set_policy_reference(u8 * buf, u32 buf_size); -int acm_dump_policy_reference(u8 *buf, u32 buf_size); -int acm_change_policy(struct acm_change_policy *); -int acm_relabel_domains(struct acm_relabel_doms *); -int do_chwall_init_state_curr(struct acm_sized_buffer *); -int do_ste_init_state_curr(struct acm_sized_buffer *); - -/* variables */ -extern ssidref_t dom0_chwall_ssidref; -extern ssidref_t dom0_ste_ssidref; -#define ACM_MAX_NUM_TYPES (256) - -/* traversing the list of ssids */ -extern struct list_head ssid_list; -#define for_each_acmssid( N ) \ - for ( N = (struct acm_ssid_domain *)ssid_list.next; \ - N != (struct acm_ssid_domain *)&ssid_list; \ - N = (struct acm_ssid_domain *)N->node.next ) - -#endif - -/* - * Local variables: - * mode: C - * c-set-style: "BSD" - * 
c-basic-offset: 4 - * tab-width: 4 - * indent-tabs-mode: nil - * End: - */ diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/acm/acm_endian.h --- a/xen/include/acm/acm_endian.h Fri Aug 31 11:41:49 2007 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,69 +0,0 @@ -/**************************************************************** - * acm_endian.h - * - * Copyright (C) 2005 IBM Corporation - * - * Author: - * Stefan Berger <stefanb@xxxxxxxxxxxxxx> - * - * Contributions: - * Reiner Sailer <sailer@xxxxxxxxxxxxxx> - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - * - * sHype header file defining endian-dependent functions for the - * big-endian policy interface - * - */ - -#ifndef _ACM_ENDIAN_H -#define _ACM_ENDIAN_H - -#include <asm/byteorder.h> - -static inline void arrcpy16(u16 *dest, const u16 *src, size_t n) -{ - unsigned int i; - for ( i = 0; i < n; i++ ) - dest[i] = cpu_to_be16(src[i]); -} - -static inline void arrcpy32(u32 *dest, const u32 *src, size_t n) -{ - unsigned int i; - for ( i = 0; i < n; i++ ) - dest[i] = cpu_to_be32(src[i]); -} - -static inline void arrcpy( - void *dest, const void *src, unsigned int elsize, size_t n) -{ - switch ( elsize ) - { - case sizeof(u16): - arrcpy16((u16 *)dest, (u16 *)src, n); - break; - - case sizeof(u32): - arrcpy32((u32 *)dest, (u32 *)src, n); - break; - - default: - memcpy(dest, src, elsize*n); - } -} - -#endif - -/* - * Local variables: - * mode: C - * c-set-style: "BSD" - * c-basic-offset: 4 - * tab-width: 4 - * indent-tabs-mode: nil - * End: - */ diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/acm/acm_hooks.h --- a/xen/include/acm/acm_hooks.h Fri Aug 31 11:41:49 2007 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,349 +0,0 @@ -/**************************************************************** - * acm_hooks.h - * - * Copyright (C) 2005 IBM Corporation - * - * Author: - * Reiner Sailer <sailer@xxxxxxxxxxxxxx> - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - * - * acm header file implementing the global (policy-independent) - * sHype hooks that are called throughout Xen. - * - */ - -#ifndef _ACM_HOOKS_H -#define _ACM_HOOKS_H - -#include <xen/config.h> -#include <xen/errno.h> -#include <xen/types.h> -#include <xen/lib.h> -#include <xen/delay.h> -#include <xen/sched.h> -#include <xen/multiboot.h> -#include <public/acm.h> -#include <acm/acm_core.h> -#include <public/domctl.h> -#include <public/event_channel.h> -#include <asm/current.h> - -/* - * HOOK structure and meaning (justifies a few words about our model): - * - * General idea: every policy-controlled system operation is reflected in a - * transaction in the system's security state - * - * Keeping the security state consistent requires "atomic" transactions. - * The name of the hooks to place around policy-controlled transactions - * reflects this. If authorizations do not involve security state changes, - * then and only then POST and FAIL hooks remain empty since we don't care - * about the eventual outcome of the operation from a security viewpoint. 
- * - * PURPOSE of hook types: - * ====================== - * PRE-Hooks - * a) general authorization to guard a controlled system operation - * b) prepare security state change - * (means: fail hook must be able to "undo" this) - * - * POST-Hooks - * a) commit prepared state change - * - * FAIL-Hooks - * a) roll-back prepared security state change from PRE-Hook - * - * - * PLACEMENT of hook types: - * ======================== - * PRE-Hooks must be called before a guarded/controlled system operation - * is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or - * error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED. - * - * POST-Hooks must be called after a successful system operation. - * There is no return value: commit never fails. - * - * FAIL-Hooks must be called: - * a) if system transaction (operation) fails after calling the PRE-hook - * b) if another (secondary) policy denies access in its PRE-Hook - * (policy layering is useful but requires additional handling) - * - * Hook model from a security transaction viewpoint: - * start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success - * (pre-hook) \ (post-hook) - * \ - * fail - * \ - * \ - * roll-back - * (fail-hook) - * \ - * sys-ops error - * - */ - -struct acm_operations { - /* policy management functions (must always be defined!) 
*/ - int (*init_domain_ssid) (void **ssid, ssidref_t ssidref); - void (*free_domain_ssid) (void *ssid); - int (*dump_binary_policy) (u8 *buffer, u32 buf_size); - int (*test_binary_policy) (u8 *buffer, u32 buf_size, - int is_bootpolicy, - struct acm_sized_buffer *); - int (*set_binary_policy) (u8 *buffer, u32 buf_size); - int (*dump_statistics) (u8 *buffer, u16 buf_size); - int (*dump_ssid_types) (ssidref_t ssidref, u8 *buffer, u16 buf_size); - /* domain management control hooks (can be NULL) */ - int (*domain_create) (void *subject_ssid, ssidref_t ssidref, - domid_t domid); - void (*domain_destroy) (void *object_ssid, struct domain *d); - /* event channel control hooks (can be NULL) */ - int (*pre_eventchannel_unbound) (domid_t id1, domid_t id2); - void (*fail_eventchannel_unbound) (domid_t id1, domid_t id2); - int (*pre_eventchannel_interdomain) (domid_t id); - void (*fail_eventchannel_interdomain) (domid_t id); - /* grant table control hooks (can be NULL) */ - int (*pre_grant_map_ref) (domid_t id); - void (*fail_grant_map_ref) (domid_t id); - int (*pre_grant_setup) (domid_t id); - void (*fail_grant_setup) (domid_t id); - /* generic domain-requested decision hooks (can be NULL) */ - int (*sharing) (ssidref_t ssidref1, - ssidref_t ssidref2); - int (*authorization) (ssidref_t ssidref1, - ssidref_t ssidref2); - /* determine whether the default policy is installed */ - int (*is_default_policy) (void); -}; - -/* global variables */ -extern struct acm_operations *acm_primary_ops; -extern struct acm_operations *acm_secondary_ops; - -/* if ACM_TRACE_MODE defined, all hooks should - * print a short trace message */ -/* #define ACM_TRACE_MODE */ - -#ifdef ACM_TRACE_MODE -# define traceprintk(fmt, args...) printk(fmt,## args) -#else -# define traceprintk(fmt, args...) 
-#endif - - -#ifndef ACM_SECURITY - -static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2) -{ return 0; } -static inline int acm_pre_eventchannel_interdomain(domid_t id) -{ return 0; } -static inline int acm_pre_grant_map_ref(domid_t id) -{ return 0; } -static inline int acm_pre_grant_setup(domid_t id) -{ return 0; } -static inline int acm_is_policy(char *buf, unsigned long len) -{ return 0; } -static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2) -{ return 0; } -static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2) -{ return 0; } -static inline int acm_domain_create(struct domain *d, ssidref_t ssidref) -{ return 0; } -static inline void acm_domain_destroy(struct domain *d) -{ return; } - -#define DOM0_SSIDREF 0x0 - -#else - -static inline void acm_domain_ssid_onto_list(struct acm_ssid_domain *ssid) -{ - write_lock(&ssid_list_rwlock); - list_add(&ssid->node, &ssid_list); - write_unlock(&ssid_list_rwlock); -} - -static inline void acm_domain_ssid_off_list(struct acm_ssid_domain *ssid) -{ - write_lock(&ssid_list_rwlock); - list_del(&ssid->node); - write_unlock(&ssid_list_rwlock); -} - -static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2) -{ - if ((acm_primary_ops->pre_eventchannel_unbound != NULL) && - acm_primary_ops->pre_eventchannel_unbound(id1, id2)) - return ACM_ACCESS_DENIED; - else if ((acm_secondary_ops->pre_eventchannel_unbound != NULL) && - acm_secondary_ops->pre_eventchannel_unbound(id1, id2)) { - /* roll-back primary */ - if (acm_primary_ops->fail_eventchannel_unbound != NULL) - acm_primary_ops->fail_eventchannel_unbound(id1, id2); - return ACM_ACCESS_DENIED; - } else - return ACM_ACCESS_PERMITTED; -} - -static inline int acm_pre_eventchannel_interdomain(domid_t id) -{ - if ((acm_primary_ops->pre_eventchannel_interdomain != NULL) && - acm_primary_ops->pre_eventchannel_interdomain(id)) - return ACM_ACCESS_DENIED; - else if ((acm_secondary_ops->pre_eventchannel_interdomain != NULL) 
&& - acm_secondary_ops->pre_eventchannel_interdomain(id)) { - /* roll-back primary */ - if (acm_primary_ops->fail_eventchannel_interdomain != NULL) - acm_primary_ops->fail_eventchannel_interdomain(id); - return ACM_ACCESS_DENIED; - } else - return ACM_ACCESS_PERMITTED; -} - - -static inline int acm_pre_grant_map_ref(domid_t id) -{ - if ( (acm_primary_ops->pre_grant_map_ref != NULL) && - acm_primary_ops->pre_grant_map_ref(id) ) - { - return ACM_ACCESS_DENIED; - } - else if ( (acm_secondary_ops->pre_grant_map_ref != NULL) && - acm_secondary_ops->pre_grant_map_ref(id) ) - { - /* roll-back primary */ - if ( acm_primary_ops->fail_grant_map_ref != NULL ) - acm_primary_ops->fail_grant_map_ref(id); - return ACM_ACCESS_DENIED; - } - else - { - return ACM_ACCESS_PERMITTED; - } -} - -static inline int acm_pre_grant_setup(domid_t id) -{ - if ( (acm_primary_ops->pre_grant_setup != NULL) && - acm_primary_ops->pre_grant_setup(id) ) - { - return ACM_ACCESS_DENIED; - } - else if ( (acm_secondary_ops->pre_grant_setup != NULL) && - acm_secondary_ops->pre_grant_setup(id) ) - { - /* roll-back primary */ - if (acm_primary_ops->fail_grant_setup != NULL) - acm_primary_ops->fail_grant_setup(id); - return ACM_ACCESS_DENIED; - } - else - { - return ACM_ACCESS_PERMITTED; - } -} - - -static inline void acm_domain_destroy(struct domain *d) -{ - void *ssid = d->ssid; - if (ssid != NULL) { - if (acm_primary_ops->domain_destroy != NULL) - acm_primary_ops->domain_destroy(ssid, d); - if (acm_secondary_ops->domain_destroy != NULL) - acm_secondary_ops->domain_destroy(ssid, d); - /* free security ssid for the destroyed domain (also if null policy */ - acm_domain_ssid_off_list(ssid); - acm_free_domain_ssid((struct acm_ssid_domain *)(ssid)); - } -} - - -static inline int acm_domain_create(struct domain *d, ssidref_t ssidref) -{ - void *subject_ssid = current->domain->ssid; - domid_t domid = d->domain_id; - int rc; - - read_lock(&acm_bin_pol_rwlock); - /* - To be called when a domain is created; returns 
'0' if the - domain is allowed to be created, != '0' if not. - */ - rc = acm_init_domain_ssid(d, ssidref); - if (rc != ACM_OK) - goto error_out; - - if ((acm_primary_ops->domain_create != NULL) && - acm_primary_ops->domain_create(subject_ssid, ssidref, domid)) { - rc = ACM_ACCESS_DENIED; - } else if ((acm_secondary_ops->domain_create != NULL) && - acm_secondary_ops->domain_create(subject_ssid, ssidref, - domid)) { - /* roll-back primary */ - if (acm_primary_ops->domain_destroy != NULL) - acm_primary_ops->domain_destroy(d->ssid, d); - rc = ACM_ACCESS_DENIED; - } - - if ( rc == ACM_OK ) - { - acm_domain_ssid_onto_list(d->ssid); - } else { - acm_free_domain_ssid(d->ssid); - } - -error_out: - read_unlock(&acm_bin_pol_rwlock); - return rc; -} - - -static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2) -{ - if ((acm_primary_ops->sharing != NULL) && - acm_primary_ops->sharing(ssidref1, ssidref2)) - return ACM_ACCESS_DENIED; - else if ((acm_secondary_ops->sharing != NULL) && - acm_secondary_ops->sharing(ssidref1, ssidref2)) { - return ACM_ACCESS_DENIED; - } else - return ACM_ACCESS_PERMITTED; -} - - -static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2) -{ - if ((acm_primary_ops->authorization != NULL) && - acm_primary_ops->authorization(ssidref1, ssidref2)) - return ACM_ACCESS_DENIED; - else if ((acm_secondary_ops->authorization != NULL) && - acm_secondary_ops->authorization(ssidref1, ssidref2)) { - return ACM_ACCESS_DENIED; - } else - return ACM_ACCESS_PERMITTED; -} - - -/* Return true iff buffer has an acm policy magic number. */ -extern int acm_is_policy(char *buf, unsigned long len); - -#define DOM0_SSIDREF (dom0_ste_ssidref << 16 | dom0_chwall_ssidref) - -#endif - -#endif - -/* - * Local variables: - * mode: C - * c-set-style: "BSD" - * c-basic-offset: 4 - * tab-width: 4 - * indent-tabs-mode: nil - * End: - */ diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/acm.h 
--- a/xen/include/public/acm.h Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,229 +0,0 @@ -/* - * acm.h: Xen access control module interface defintions - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to - * deal in the Software without restriction, including without limitation the - * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or - * sell copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - * - * Reiner Sailer <sailer@xxxxxxxxxxxxxx> - * Copyright (c) 2005, International Business Machines Corporation. - */ - -#ifndef _XEN_PUBLIC_ACM_H -#define _XEN_PUBLIC_ACM_H - -#include "xen.h" - -/* if ACM_DEBUG defined, all hooks should - * print a short trace message (comment it out - * when not in testing mode ) - */ -/* #define ACM_DEBUG */ - -#ifdef ACM_DEBUG -# define printkd(fmt, args...) printk(fmt,## args) -#else -# define printkd(fmt, args...) 
-#endif - -/* default ssid reference value if not supplied */ -#define ACM_DEFAULT_SSID 0x0 -#define ACM_DEFAULT_LOCAL_SSID 0x0 - -/* Internal ACM ERROR types */ -#define ACM_OK 0 -#define ACM_UNDEF -1 -#define ACM_INIT_SSID_ERROR -2 -#define ACM_INIT_SOID_ERROR -3 -#define ACM_ERROR -4 - -/* External ACCESS DECISIONS */ -#define ACM_ACCESS_PERMITTED 0 -#define ACM_ACCESS_DENIED -111 -#define ACM_NULL_POINTER_ERROR -200 - -/* - Error codes reported in when trying to test for a new policy - These error codes are reported in an array of tuples where - each error code is followed by a parameter describing the error - more closely, such as a domain id. -*/ -#define ACM_EVTCHN_SHARING_VIOLATION 0x100 -#define ACM_GNTTAB_SHARING_VIOLATION 0x101 -#define ACM_DOMAIN_LOOKUP 0x102 -#define ACM_CHWALL_CONFLICT 0x103 -#define ACM_SSIDREF_IN_USE 0x104 - - -/* primary policy in lower 4 bits */ -#define ACM_NULL_POLICY 0 -#define ACM_CHINESE_WALL_POLICY 1 -#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2 -#define ACM_POLICY_UNDEFINED 15 - -/* combinations have secondary policy component in higher 4bit */ -#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \ - ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY) - -/* policy: */ -#define ACM_POLICY_NAME(X) \ - ((X) == (ACM_NULL_POLICY)) ? "NULL" : \ - ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL" : \ - ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT" : \ - ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? 
"CHINESE WALL AND SIMPLE TYPE ENFORCEMENT" : \ - "UNDEFINED" - -/* the following policy versions must be increased - * whenever the interpretation of the related - * policy's data structure changes - */ -#define ACM_POLICY_VERSION 3 -#define ACM_CHWALL_VERSION 1 -#define ACM_STE_VERSION 1 - -/* defines a ssid reference used by xen */ -typedef uint32_t ssidref_t; - -/* hooks that are known to domains */ -#define ACMHOOK_none 0 -#define ACMHOOK_sharing 1 -#define ACMHOOK_authorization 2 - -/* -------security policy relevant type definitions-------- */ - -/* type identifier; compares to "equal" or "not equal" */ -typedef uint16_t domaintype_t; - -/* CHINESE WALL POLICY DATA STRUCTURES - * - * current accumulated conflict type set: - * When a domain is started and has a type that is in - * a conflict set, the conflicting types are incremented in - * the aggregate set. When a domain is destroyed, the - * conflicting types to its type are decremented. - * If a domain has multiple types, this procedure works over - * all those types. - * - * conflict_aggregate_set[i] holds the number of - * running domains that have a conflict with type i. - * - * running_types[i] holds the number of running domains - * that include type i in their ssidref-referenced type set - * - * conflict_sets[i][j] is "0" if type j has no conflict - * with type i and is "1" otherwise. - */ -/* high-16 = version, low-16 = check magic */ -#define ACM_MAGIC 0x0001debc - -/* each offset in bytes from start of the struct they - * are part of */ - -/* V3 of the policy buffer aded a version structure */ -struct acm_policy_version -{ - uint32_t major; - uint32_t minor; -}; - - -/* each buffer consists of all policy information for - * the respective policy given in the policy code - * - * acm_policy_buffer, acm_chwall_policy_buffer, - * and acm_ste_policy_buffer need to stay 32-bit aligned - * because we create binary policies also with external - * tools that assume packed representations (e.g. 
the java tool) - */ -struct acm_policy_buffer { - uint32_t magic; - uint32_t policy_version; /* ACM_POLICY_VERSION */ - uint32_t len; - uint32_t policy_reference_offset; - uint32_t primary_policy_code; - uint32_t primary_buffer_offset; - uint32_t secondary_policy_code; - uint32_t secondary_buffer_offset; - struct acm_policy_version xml_pol_version; /* add in V3 */ -}; - - -struct acm_policy_reference_buffer { - uint32_t len; -}; - -struct acm_chwall_policy_buffer { - uint32_t policy_version; /* ACM_CHWALL_VERSION */ - uint32_t policy_code; - uint32_t chwall_max_types; - uint32_t chwall_max_ssidrefs; - uint32_t chwall_max_conflictsets; - uint32_t chwall_ssid_offset; - uint32_t chwall_conflict_sets_offset; - uint32_t chwall_running_types_offset; - uint32_t chwall_conflict_aggregate_offset; -}; - -struct acm_ste_policy_buffer { - uint32_t policy_version; /* ACM_STE_VERSION */ - uint32_t policy_code; - uint32_t ste_max_types; - uint32_t ste_max_ssidrefs; - uint32_t ste_ssid_offset; -}; - -struct acm_stats_buffer { - uint32_t magic; - uint32_t len; - uint32_t primary_policy_code; - uint32_t primary_stats_offset; - uint32_t secondary_policy_code; - uint32_t secondary_stats_offset; -}; - -struct acm_ste_stats_buffer { - uint32_t ec_eval_count; - uint32_t gt_eval_count; - uint32_t ec_denied_count; - uint32_t gt_denied_count; - uint32_t ec_cachehit_count; - uint32_t gt_cachehit_count; -}; - -struct acm_ssid_buffer { - uint32_t len; - ssidref_t ssidref; - uint32_t policy_reference_offset; - uint32_t primary_policy_code; - uint32_t primary_max_types; - uint32_t primary_types_offset; - uint32_t secondary_policy_code; - uint32_t secondary_max_types; - uint32_t secondary_types_offset; -}; - -#endif - -/* - * Local variables: - * mode: C - * c-set-style: "BSD" - * c-basic-offset: 4 - * tab-width: 4 - * indent-tabs-mode: nil - * End: - */ diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/acm_ops.h 
--- a/xen/include/public/acm_ops.h Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,159 +0,0 @@ -/* - * acm_ops.h: Xen access control module hypervisor commands - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to - * deal in the Software without restriction, including without limitation the - * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or - * sell copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - * - * Reiner Sailer <sailer@xxxxxxxxxxxxxx> - * Copyright (c) 2005,2006 International Business Machines Corporation. - */ - -#ifndef __XEN_PUBLIC_ACM_OPS_H__ -#define __XEN_PUBLIC_ACM_OPS_H__ - -#include "xen.h" -#include "acm.h" - -/* - * Make sure you increment the interface version whenever you modify this file! - * This makes sure that old versions of acm tools will stop working in a - * well-defined way (rather than crashing the machine, for instance). - */ -#define ACM_INTERFACE_VERSION 0xAAAA000A - -/************************************************************************/ - -/* - * Prototype for this hypercall is: - * int acm_op(int cmd, void *args) - * @cmd == ACMOP_??? (access control module operation). - * @args == Operation-specific extra arguments (NULL if none). 
- */ - - -#define ACMOP_setpolicy 1 -struct acm_setpolicy { - /* IN */ - XEN_GUEST_HANDLE_64(void) pushcache; - uint32_t pushcache_size; -}; - - -#define ACMOP_getpolicy 2 -struct acm_getpolicy { - /* IN */ - XEN_GUEST_HANDLE_64(void) pullcache; - uint32_t pullcache_size; -}; - - -#define ACMOP_dumpstats 3 -struct acm_dumpstats { - /* IN */ - XEN_GUEST_HANDLE_64(void) pullcache; - uint32_t pullcache_size; -}; - - -#define ACMOP_getssid 4 -#define ACM_GETBY_ssidref 1 -#define ACM_GETBY_domainid 2 -struct acm_getssid { - /* IN */ - uint32_t get_ssid_by; /* ACM_GETBY_* */ - union { - domaintype_t domainid; - ssidref_t ssidref; - } id; - XEN_GUEST_HANDLE_64(void) ssidbuf; - uint32_t ssidbuf_size; -}; - -#define ACMOP_getdecision 5 -struct acm_getdecision { - /* IN */ - uint32_t get_decision_by1; /* ACM_GETBY_* */ - uint32_t get_decision_by2; /* ACM_GETBY_* */ - union { - domaintype_t domainid; - ssidref_t ssidref; - } id1; - union { - domaintype_t domainid; - ssidref_t ssidref; - } id2; - uint32_t hook; - /* OUT */ - uint32_t acm_decision; -}; - - -#define ACMOP_chgpolicy 6 -struct acm_change_policy { - /* IN */ - XEN_GUEST_HANDLE_64(void) policy_pushcache; - uint32_t policy_pushcache_size; - XEN_GUEST_HANDLE_64(void) del_array; - uint32_t delarray_size; - XEN_GUEST_HANDLE_64(void) chg_array; - uint32_t chgarray_size; - /* OUT */ - /* array with error code */ - XEN_GUEST_HANDLE_64(void) err_array; - uint32_t errarray_size; -}; - -#define ACMOP_relabeldoms 7 -struct acm_relabel_doms { - /* IN */ - XEN_GUEST_HANDLE_64(void) relabel_map; - uint32_t relabel_map_size; - /* OUT */ - XEN_GUEST_HANDLE_64(void) err_array; - uint32_t errarray_size; -}; - -/* future interface to Xen */ -struct xen_acmctl { - uint32_t cmd; - uint32_t interface_version; - union { - struct acm_setpolicy setpolicy; - struct acm_getpolicy getpolicy; - struct acm_dumpstats dumpstats; - struct acm_getssid getssid; - struct acm_getdecision getdecision; - struct acm_change_policy change_policy; - struct 
acm_relabel_doms relabel_doms; - } u; -}; - -typedef struct xen_acmctl xen_acmctl_t; -DEFINE_XEN_GUEST_HANDLE(xen_acmctl_t); - -#endif /* __XEN_PUBLIC_ACM_OPS_H__ */ - -/* - * Local variables: - * mode: C - * c-set-style: "BSD" - * c-basic-offset: 4 - * tab-width: 4 - * indent-tabs-mode: nil - * End: - */ diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/xsm/acm.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xen/include/public/xsm/acm.h Fri Aug 31 12:05:07 2007 +0100 
@@ -0,0 +1,229 @@ +/* + * acm.h: Xen access control module interface defintions + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to + * deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + * sell copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + * + * Reiner Sailer <sailer@xxxxxxxxxxxxxx> + * Copyright (c) 2005, International Business Machines Corporation. + */ + +#ifndef _XEN_PUBLIC_ACM_H +#define _XEN_PUBLIC_ACM_H + +#include "../xen.h" + +/* if ACM_DEBUG defined, all hooks should + * print a short trace message (comment it out + * when not in testing mode ) + */ +/* #define ACM_DEBUG */ + +#ifdef ACM_DEBUG +# define printkd(fmt, args...) printk(fmt,## args) +#else +# define printkd(fmt, args...) 
+#endif + +/* default ssid reference value if not supplied */ +#define ACM_DEFAULT_SSID 0x0 +#define ACM_DEFAULT_LOCAL_SSID 0x0 + +/* Internal ACM ERROR types */ +#define ACM_OK 0 +#define ACM_UNDEF -1 +#define ACM_INIT_SSID_ERROR -2 +#define ACM_INIT_SOID_ERROR -3 +#define ACM_ERROR -4 + +/* External ACCESS DECISIONS */ +#define ACM_ACCESS_PERMITTED 0 +#define ACM_ACCESS_DENIED -111 +#define ACM_NULL_POINTER_ERROR -200 + +/* + Error codes reported in when trying to test for a new policy + These error codes are reported in an array of tuples where + each error code is followed by a parameter describing the error + more closely, such as a domain id. +*/ +#define ACM_EVTCHN_SHARING_VIOLATION 0x100 +#define ACM_GNTTAB_SHARING_VIOLATION 0x101 +#define ACM_DOMAIN_LOOKUP 0x102 +#define ACM_CHWALL_CONFLICT 0x103 +#define ACM_SSIDREF_IN_USE 0x104 + + +/* primary policy in lower 4 bits */ +#define ACM_NULL_POLICY 0 +#define ACM_CHINESE_WALL_POLICY 1 +#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2 +#define ACM_POLICY_UNDEFINED 15 + +/* combinations have secondary policy component in higher 4bit */ +#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \ + ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY) + +/* policy: */ +#define ACM_POLICY_NAME(X) \ + ((X) == (ACM_NULL_POLICY)) ? "NULL" : \ + ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL" : \ + ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT" : \ + ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? 
"CHINESE WALL AND SIMPLE TYPE ENFORCEMENT" : \ + "UNDEFINED" + +/* the following policy versions must be increased + * whenever the interpretation of the related + * policy's data structure changes + */ +#define ACM_POLICY_VERSION 3 +#define ACM_CHWALL_VERSION 1 +#define ACM_STE_VERSION 1 + +/* defines a ssid reference used by xen */ +typedef uint32_t ssidref_t; + +/* hooks that are known to domains */ +#define ACMHOOK_none 0 +#define ACMHOOK_sharing 1 +#define ACMHOOK_authorization 2 + +/* -------security policy relevant type definitions-------- */ + +/* type identifier; compares to "equal" or "not equal" */ +typedef uint16_t domaintype_t; + +/* CHINESE WALL POLICY DATA STRUCTURES + * + * current accumulated conflict type set: + * When a domain is started and has a type that is in + * a conflict set, the conflicting types are incremented in + * the aggregate set. When a domain is destroyed, the + * conflicting types to its type are decremented. + * If a domain has multiple types, this procedure works over + * all those types. + * + * conflict_aggregate_set[i] holds the number of + * running domains that have a conflict with type i. + * + * running_types[i] holds the number of running domains + * that include type i in their ssidref-referenced type set + * + * conflict_sets[i][j] is "0" if type j has no conflict + * with type i and is "1" otherwise. + */ +/* high-16 = version, low-16 = check magic */ +#define ACM_MAGIC 0x0001debc + +/* each offset in bytes from start of the struct they + * are part of */ + +/* V3 of the policy buffer aded a version structure */ +struct acm_policy_version +{ + uint32_t major; + uint32_t minor; +}; + + +/* each buffer consists of all policy information for + * the respective policy given in the policy code + * + * acm_policy_buffer, acm_chwall_policy_buffer, + * and acm_ste_policy_buffer need to stay 32-bit aligned + * because we create binary policies also with external + * tools that assume packed representations (e.g. 
the java tool) + */ +struct acm_policy_buffer { + uint32_t magic; + uint32_t policy_version; /* ACM_POLICY_VERSION */ + uint32_t len; + uint32_t policy_reference_offset; + uint32_t primary_policy_code; + uint32_t primary_buffer_offset; + uint32_t secondary_policy_code; + uint32_t secondary_buffer_offset; + struct acm_policy_version xml_pol_version; /* add in V3 */ +}; + + +struct acm_policy_reference_buffer { + uint32_t len; +}; + +struct acm_chwall_policy_buffer { + uint32_t policy_version; /* ACM_CHWALL_VERSION */ + uint32_t policy_code; + uint32_t chwall_max_types; + uint32_t chwall_max_ssidrefs; + uint32_t chwall_max_conflictsets; + uint32_t chwall_ssid_offset; + uint32_t chwall_conflict_sets_offset; + uint32_t chwall_running_types_offset; + uint32_t chwall_conflict_aggregate_offset; +}; + +struct acm_ste_policy_buffer { + uint32_t policy_version; /* ACM_STE_VERSION */ + uint32_t policy_code; + uint32_t ste_max_types; + uint32_t ste_max_ssidrefs; + uint32_t ste_ssid_offset; +}; + +struct acm_stats_buffer { + uint32_t magic; + uint32_t len; + uint32_t primary_policy_code; + uint32_t primary_stats_offset; + uint32_t secondary_policy_code; + uint32_t secondary_stats_offset; +}; + +struct acm_ste_stats_buffer { + uint32_t ec_eval_count; + uint32_t gt_eval_count; + uint32_t ec_denied_count; + uint32_t gt_denied_count; + uint32_t ec_cachehit_count; + uint32_t gt_cachehit_count; +}; + +struct acm_ssid_buffer { + uint32_t len; + ssidref_t ssidref; + uint32_t policy_reference_offset; + uint32_t primary_policy_code; + uint32_t primary_max_types; + uint32_t primary_types_offset; + uint32_t secondary_policy_code; + uint32_t secondary_max_types; + uint32_t secondary_types_offset; +}; + +#endif + +/* + * Local variables: + * mode: C + * c-set-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/xsm/acm_ops.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 
+++ b/xen/include/public/xsm/acm_ops.h Fri Aug 31 12:05:07 2007 +0100 
@@ -0,0 +1,159 @@ +/* + * acm_ops.h: Xen access control module hypervisor commands + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to + * deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + * sell copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + * + * Reiner Sailer <sailer@xxxxxxxxxxxxxx> + * Copyright (c) 2005,2006 International Business Machines Corporation. + */ + +#ifndef __XEN_PUBLIC_ACM_OPS_H__ +#define __XEN_PUBLIC_ACM_OPS_H__ + +#include "../xen.h" +#include "acm.h" + +/* + * Make sure you increment the interface version whenever you modify this file! + * This makes sure that old versions of acm tools will stop working in a + * well-defined way (rather than crashing the machine, for instance). + */ +#define ACM_INTERFACE_VERSION 0xAAAA000A + +/************************************************************************/ + +/* + * Prototype for this hypercall is: + * int acm_op(int cmd, void *args) + * @cmd == ACMOP_??? (access control module operation). + * @args == Operation-specific extra arguments (NULL if none). 
+ */ + + +#define ACMOP_setpolicy 1 +struct acm_setpolicy { + /* IN */ + XEN_GUEST_HANDLE_64(void) pushcache; + uint32_t pushcache_size; +}; + + +#define ACMOP_getpolicy 2 +struct acm_getpolicy { + /* IN */ + XEN_GUEST_HANDLE_64(void) pullcache; + uint32_t pullcache_size; +}; + + +#define ACMOP_dumpstats 3 +struct acm_dumpstats { + /* IN */ + XEN_GUEST_HANDLE_64(void) pullcache; + uint32_t pullcache_size; +}; + + +#define ACMOP_getssid 4 +#define ACM_GETBY_ssidref 1 +#define ACM_GETBY_domainid 2 +struct acm_getssid { + /* IN */ + uint32_t get_ssid_by; /* ACM_GETBY_* */ + union { + domaintype_t domainid; + ssidref_t ssidref; + } id; + XEN_GUEST_HANDLE_64(void) ssidbuf; + uint32_t ssidbuf_size; +}; + +#define ACMOP_getdecision 5 +struct acm_getdecision { + /* IN */ + uint32_t get_decision_by1; /* ACM_GETBY_* */ + uint32_t get_decision_by2; /* ACM_GETBY_* */ + union { + domaintype_t domainid; + ssidref_t ssidref; + } id1; + union { + domaintype_t domainid; + ssidref_t ssidref; + } id2; + uint32_t hook; + /* OUT */ + uint32_t acm_decision; +}; + + +#define ACMOP_chgpolicy 6 +struct acm_change_policy { + /* IN */ + XEN_GUEST_HANDLE_64(void) policy_pushcache; + uint32_t policy_pushcache_size; + XEN_GUEST_HANDLE_64(void) del_array; + uint32_t delarray_size; + XEN_GUEST_HANDLE_64(void) chg_array; + uint32_t chgarray_size; + /* OUT */ + /* array with error code */ + XEN_GUEST_HANDLE_64(void) err_array; + uint32_t errarray_size; +}; + +#define ACMOP_relabeldoms 7 +struct acm_relabel_doms { + /* IN */ + XEN_GUEST_HANDLE_64(void) relabel_map; + uint32_t relabel_map_size; + /* OUT */ + XEN_GUEST_HANDLE_64(void) err_array; + uint32_t errarray_size; +}; + +/* future interface to Xen */ +struct xen_acmctl { + uint32_t cmd; + uint32_t interface_version; + union { + struct acm_setpolicy setpolicy; + struct acm_getpolicy getpolicy; + struct acm_dumpstats dumpstats; + struct acm_getssid getssid; + struct acm_getdecision getdecision; + struct acm_change_policy change_policy; + struct 
acm_relabel_doms relabel_doms;
+ } u;
+};
+
+typedef struct xen_acmctl xen_acmctl_t;
+DEFINE_XEN_GUEST_HANDLE(xen_acmctl_t);
+
+#endif /* __XEN_PUBLIC_ACM_OPS_H__ */
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xen/sched.h
--- a/xen/include/xen/sched.h Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/include/xen/sched.h Fri Aug 31 12:05:07 2007 +0100
@@ -10,7 +10,7 @@
 #include <public/xen.h>
 #include <public/domctl.h>
 #include <public/vcpu.h>
-#include <public/acm.h>
+#include <public/xsm/acm.h>
 #include <xen/time.h>
 #include <xen/timer.h>
 #include <xen/grant_table.h>
@@ -63,6 +63,9 @@ struct evtchn
 u16 pirq; /* state == ECS_PIRQ */
 u16 virq; /* state == ECS_VIRQ */
 } u;
+#ifdef FLASK_ENABLE
+ void *ssid;
+#endif
 };
 int evtchn_init(struct domain *d);
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xsm/acm/acm_core.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/xsm/acm/acm_core.h Fri Aug 31 12:05:07 2007 +0100
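Review bot: The `void *ssid` added to struct evtchn under `#ifdef FLASK_ENABLE` has no comment, and it is the one functional change in a commit otherwise made of path cleanups. A reader of sched.h cannot tell what the pointer refers to, who allocates and releases it, or why it is keyed to a Flask-specific build flag rather than a generic XSM one; I would at least write `void *ssid;  /* per-channel security id, presumably owned by the XSM Flask hooks */` and mention the addition in the commit message. Making the layout of struct evtchn depend on FLASK_ENABLE also means every translation unit including sched.h must see the same definition of that flag, which is worth stating next to the field. struct evtchn starts outside the hunk.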
@@ -0,0 +1,196 @@ +/**************************************************************** + * acm_core.h + * + * Copyright (C) 2005 IBM Corporation + * + * Author: + * Reiner Sailer <sailer@xxxxxxxxxxxxxx> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + * + * sHype header file describing core data types and constants + * for the access control module and relevant policies + * + */ + +#ifndef _ACM_CORE_H +#define _ACM_CORE_H + +#include <xen/spinlock.h> +#include <xen/list.h> +#include <public/xsm/acm.h> +#include <public/xsm/acm_ops.h> +#include <xsm/acm/acm_endian.h> + +#define ACM_DEFAULT_SECURITY_POLICY \ + ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY + +/* Xen-internal representation of the binary policy */ +struct acm_binary_policy { + char *policy_reference_name; + u16 primary_policy_code; + u16 secondary_policy_code; + struct acm_policy_version xml_pol_version; +}; + +struct chwall_binary_policy { + u32 max_types; + u32 max_ssidrefs; + u32 max_conflictsets; + domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */ + domaintype_t *conflict_aggregate_set; /* [max_types] */ + domaintype_t *running_types; /* [max_types] */ + domaintype_t *conflict_sets; /* [max_conflictsets][max_types]*/ +}; + +struct ste_binary_policy { + u32 max_types; + u32 max_ssidrefs; + domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */ + atomic_t ec_eval_count, gt_eval_count; + atomic_t ec_denied_count, gt_denied_count; + atomic_t ec_cachehit_count, gt_cachehit_count; +}; + +/* global acm policy */ +extern u16 acm_active_security_policy; +extern struct acm_binary_policy acm_bin_pol; +extern struct chwall_binary_policy chwall_bin_pol; +extern struct ste_binary_policy ste_bin_pol; +/* use the lock when reading / changing binary policy ! 
*/ +extern rwlock_t acm_bin_pol_rwlock; +extern rwlock_t ssid_list_rwlock; + +/* subject and object type definitions */ +#define ACM_DATATYPE_domain 1 + +/* defines number of access decisions to other domains can be cached + * one entry per domain, TE does not distinguish evtchn or grant_table */ +#define ACM_TE_CACHE_SIZE 8 +#define ACM_STE_valid 0 +#define ACM_STE_free 1 + +/* cache line: + * if cache_line.valid==ACM_STE_valid, then + * STE decision is cached as "permitted" + * on domain cache_line.id + */ +struct acm_ste_cache_line { + int valid; /* ACM_STE_* */ + domid_t id; +}; + +/* general definition of a subject security id */ +struct acm_ssid_domain { + struct list_head node; /* all are chained together */ + int datatype; /* type of subject (e.g., partition): ACM_DATATYPE_* */ + ssidref_t ssidref; /* combined security reference */ + ssidref_t old_ssidref; /* holds previous value of ssidref during relabeling */ + void *primary_ssid; /* primary policy ssid part (e.g. chinese wall) */ + void *secondary_ssid; /* secondary policy ssid part (e.g. type enforcement) */ + struct domain *subject;/* backpointer to subject structure */ + domid_t domainid; /* replicate id */ +}; + +/* chinese wall ssid type */ +struct chwall_ssid { + ssidref_t chwall_ssidref; +}; + +/* simple type enforcement ssid type */ +struct ste_ssid { + ssidref_t ste_ssidref; + struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache */ +}; + +/* macros to access ssidref for primary / secondary policy + * primary ssidref = lower 16 bit + * secondary ssidref = higher 16 bit + */ +#define ACM_PRIMARY(ssidref) \ + ((ssidref) & 0xffff) + +#define ACM_SECONDARY(ssidref) \ + ((ssidref) >> 16) + +#define GET_SSIDREF(POLICY, ssidref) \ + ((POLICY) == acm_bin_pol.primary_policy_code) ? \ + ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref) + +/* macros to access ssid pointer for primary / secondary policy */ +#define GET_SSIDP(POLICY, ssid) \ + ((POLICY) == acm_bin_pol.primary_policy_code) ? 
\ + ((ssid)->primary_ssid) : ((ssid)->secondary_ssid) + +#define ACM_INVALID_SSIDREF (0xffffffff) + +struct acm_sized_buffer +{ + uint32_t *array; + uint num_items; + uint position; +}; + +static inline int acm_array_append_tuple(struct acm_sized_buffer *buf, + uint32_t a, uint32_t b) +{ + uint i; + if (buf == NULL) + return 0; + + i = buf->position; + + if ((i + 2) > buf->num_items) + return 0; + + buf->array[i] = cpu_to_be32(a); + buf->array[i+1] = cpu_to_be32(b); + buf->position += 2; + return 1; +} + +/* protos */ +int acm_init_domain_ssid(struct domain *, ssidref_t ssidref); +void acm_free_domain_ssid(struct acm_ssid_domain *ssid); +int acm_init_binary_policy(u32 policy_code); +int acm_set_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size); +int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy, + struct acm_sized_buffer *, struct acm_sized_buffer *, + struct acm_sized_buffer *); +int acm_get_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size); +int acm_dump_statistics(XEN_GUEST_HANDLE_64(void) buf, u16 buf_size); +int acm_get_ssid(ssidref_t ssidref, XEN_GUEST_HANDLE_64(void) buf, u16 buf_size); +int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, u32 hook); +int acm_set_policy_reference(u8 * buf, u32 buf_size); +int acm_dump_policy_reference(u8 *buf, u32 buf_size); +int acm_change_policy(struct acm_change_policy *); +int acm_relabel_domains(struct acm_relabel_doms *); +int do_chwall_init_state_curr(struct acm_sized_buffer *); +int do_ste_init_state_curr(struct acm_sized_buffer *); + +/* variables */ +extern ssidref_t dom0_chwall_ssidref; +extern ssidref_t dom0_ste_ssidref; +#define ACM_MAX_NUM_TYPES (256) + +/* traversing the list of ssids */ +extern struct list_head ssid_list; +#define for_each_acmssid( N ) \ + for ( N = (struct acm_ssid_domain *)ssid_list.next; \ + N != (struct acm_ssid_domain *)&ssid_list; \ + N = (struct acm_ssid_domain *)N->node.next ) + +#endif + +/* + * Local variables: + * mode: C + * c-set-style: "BSD" + * 
c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xsm/acm/acm_endian.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/xsm/acm/acm_endian.h Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,69 @@
+/****************************************************************
+ * acm_endian.h
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author:
+ * Stefan Berger <stefanb@xxxxxxxxxxxxxx>
+ *
+ * Contributions:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * sHype header file defining endian-dependent functions for the
+ * big-endian policy interface
+ *
+ */
+
+#ifndef _ACM_ENDIAN_H
+#define _ACM_ENDIAN_H
+
+#include <asm/byteorder.h>
+
+static inline void arrcpy16(u16 *dest, const u16 *src, size_t n)
+{
+ unsigned int i;
+ for ( i = 0; i < n; i++ )
+ dest[i] = cpu_to_be16(src[i]);
+}
+
+static inline void arrcpy32(u32 *dest, const u32 *src, size_t n)
+{
+ unsigned int i;
+ for ( i = 0; i < n; i++ )
+ dest[i] = cpu_to_be32(src[i]);
+}
+
+static inline void arrcpy(
+ void *dest, const void *src, unsigned int elsize, size_t n)
+{
+ switch ( elsize )
+ {
+ case sizeof(u16):
+ arrcpy16((u16 *)dest, (u16 *)src, n);
+ break;
+
+ case sizeof(u32):
+ arrcpy32((u32 *)dest, (u32 *)src, n);
+ break;
+
+ default:
+ memcpy(dest, src, elsize*n);
+ }
+}
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xsm/acm/acm_hooks.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/xsm/acm/acm_hooks.h Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,349 @@ +/**************************************************************** + * acm_hooks.h + * + * Copyright (C) 2005 IBM Corporation + * + * Author: + * Reiner Sailer <sailer@xxxxxxxxxxxxxx> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + * + * acm header file implementing the global (policy-independent) + * sHype hooks that are called throughout Xen. + * + */ + +#ifndef _ACM_HOOKS_H +#define _ACM_HOOKS_H + +#include <xen/config.h> +#include <xen/errno.h> +#include <xen/types.h> +#include <xen/lib.h> +#include <xen/delay.h> +#include <xen/sched.h> +#include <xen/multiboot.h> +#include <public/xsm/acm.h> +#include <xsm/acm/acm_core.h> +#include <public/domctl.h> +#include <public/event_channel.h> +#include <asm/current.h> + +/* + * HOOK structure and meaning (justifies a few words about our model): + * + * General idea: every policy-controlled system operation is reflected in a + * transaction in the system's security state + * + * Keeping the security state consistent requires "atomic" transactions. + * The name of the hooks to place around policy-controlled transactions + * reflects this. If authorizations do not involve security state changes, + * then and only then POST and FAIL hooks remain empty since we don't care + * about the eventual outcome of the operation from a security viewpoint. 
+ * + * PURPOSE of hook types: + * ====================== + * PRE-Hooks + * a) general authorization to guard a controlled system operation + * b) prepare security state change + * (means: fail hook must be able to "undo" this) + * + * POST-Hooks + * a) commit prepared state change + * + * FAIL-Hooks + * a) roll-back prepared security state change from PRE-Hook + * + * + * PLACEMENT of hook types: + * ======================== + * PRE-Hooks must be called before a guarded/controlled system operation + * is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or + * error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED. + * + * POST-Hooks must be called after a successful system operation. + * There is no return value: commit never fails. + * + * FAIL-Hooks must be called: + * a) if system transaction (operation) fails after calling the PRE-hook + * b) if another (secondary) policy denies access in its PRE-Hook + * (policy layering is useful but requires additional handling) + * + * Hook model from a security transaction viewpoint: + * start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success + * (pre-hook) \ (post-hook) + * \ + * fail + * \ + * \ + * roll-back + * (fail-hook) + * \ + * sys-ops error + * + */ + +struct acm_operations { + /* policy management functions (must always be defined!) 
*/ + int (*init_domain_ssid) (void **ssid, ssidref_t ssidref); + void (*free_domain_ssid) (void *ssid); + int (*dump_binary_policy) (u8 *buffer, u32 buf_size); + int (*test_binary_policy) (u8 *buffer, u32 buf_size, + int is_bootpolicy, + struct acm_sized_buffer *); + int (*set_binary_policy) (u8 *buffer, u32 buf_size); + int (*dump_statistics) (u8 *buffer, u16 buf_size); + int (*dump_ssid_types) (ssidref_t ssidref, u8 *buffer, u16 buf_size); + /* domain management control hooks (can be NULL) */ + int (*domain_create) (void *subject_ssid, ssidref_t ssidref, + domid_t domid); + void (*domain_destroy) (void *object_ssid, struct domain *d); + /* event channel control hooks (can be NULL) */ + int (*pre_eventchannel_unbound) (domid_t id1, domid_t id2); + void (*fail_eventchannel_unbound) (domid_t id1, domid_t id2); + int (*pre_eventchannel_interdomain) (domid_t id); + void (*fail_eventchannel_interdomain) (domid_t id); + /* grant table control hooks (can be NULL) */ + int (*pre_grant_map_ref) (domid_t id); + void (*fail_grant_map_ref) (domid_t id); + int (*pre_grant_setup) (domid_t id); + void (*fail_grant_setup) (domid_t id); + /* generic domain-requested decision hooks (can be NULL) */ + int (*sharing) (ssidref_t ssidref1, + ssidref_t ssidref2); + int (*authorization) (ssidref_t ssidref1, + ssidref_t ssidref2); + /* determine whether the default policy is installed */ + int (*is_default_policy) (void); +}; + +/* global variables */ +extern struct acm_operations *acm_primary_ops; +extern struct acm_operations *acm_secondary_ops; + +/* if ACM_TRACE_MODE defined, all hooks should + * print a short trace message */ +/* #define ACM_TRACE_MODE */ + +#ifdef ACM_TRACE_MODE +# define traceprintk(fmt, args...) printk(fmt,## args) +#else +# define traceprintk(fmt, args...) 
+#endif + + +#ifndef ACM_SECURITY + +static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2) +{ return 0; } +static inline int acm_pre_eventchannel_interdomain(domid_t id) +{ return 0; } +static inline int acm_pre_grant_map_ref(domid_t id) +{ return 0; } +static inline int acm_pre_grant_setup(domid_t id) +{ return 0; } +static inline int acm_is_policy(char *buf, unsigned long len) +{ return 0; } +static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2) +{ return 0; } +static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2) +{ return 0; } +static inline int acm_domain_create(struct domain *d, ssidref_t ssidref) +{ return 0; } +static inline void acm_domain_destroy(struct domain *d) +{ return; } + +#define DOM0_SSIDREF 0x0 + +#else + +static inline void acm_domain_ssid_onto_list(struct acm_ssid_domain *ssid) +{ + write_lock(&ssid_list_rwlock); + list_add(&ssid->node, &ssid_list); + write_unlock(&ssid_list_rwlock); +} + +static inline void acm_domain_ssid_off_list(struct acm_ssid_domain *ssid) +{ + write_lock(&ssid_list_rwlock); + list_del(&ssid->node); + write_unlock(&ssid_list_rwlock); +} + +static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2) +{ + if ((acm_primary_ops->pre_eventchannel_unbound != NULL) && + acm_primary_ops->pre_eventchannel_unbound(id1, id2)) + return ACM_ACCESS_DENIED; + else if ((acm_secondary_ops->pre_eventchannel_unbound != NULL) && + acm_secondary_ops->pre_eventchannel_unbound(id1, id2)) { + /* roll-back primary */ + if (acm_primary_ops->fail_eventchannel_unbound != NULL) + acm_primary_ops->fail_eventchannel_unbound(id1, id2); + return ACM_ACCESS_DENIED; + } else + return ACM_ACCESS_PERMITTED; +} + +static inline int acm_pre_eventchannel_interdomain(domid_t id) +{ + if ((acm_primary_ops->pre_eventchannel_interdomain != NULL) && + acm_primary_ops->pre_eventchannel_interdomain(id)) + return ACM_ACCESS_DENIED; + else if ((acm_secondary_ops->pre_eventchannel_interdomain != NULL) 
&& + acm_secondary_ops->pre_eventchannel_interdomain(id)) { + /* roll-back primary */ + if (acm_primary_ops->fail_eventchannel_interdomain != NULL) + acm_primary_ops->fail_eventchannel_interdomain(id); + return ACM_ACCESS_DENIED; + } else + return ACM_ACCESS_PERMITTED; +} + + +static inline int acm_pre_grant_map_ref(domid_t id) +{ + if ( (acm_primary_ops->pre_grant_map_ref != NULL) && + acm_primary_ops->pre_grant_map_ref(id) ) + { + return ACM_ACCESS_DENIED; + } + else if ( (acm_secondary_ops->pre_grant_map_ref != NULL) && + acm_secondary_ops->pre_grant_map_ref(id) ) + { + /* roll-back primary */ + if ( acm_primary_ops->fail_grant_map_ref != NULL ) + acm_primary_ops->fail_grant_map_ref(id); + return ACM_ACCESS_DENIED; + } + else + { + return ACM_ACCESS_PERMITTED; + } +} + +static inline int acm_pre_grant_setup(domid_t id) +{ + if ( (acm_primary_ops->pre_grant_setup != NULL) && + acm_primary_ops->pre_grant_setup(id) ) + { + return ACM_ACCESS_DENIED; + } + else if ( (acm_secondary_ops->pre_grant_setup != NULL) && + acm_secondary_ops->pre_grant_setup(id) ) + { + /* roll-back primary */ + if (acm_primary_ops->fail_grant_setup != NULL) + acm_primary_ops->fail_grant_setup(id); + return ACM_ACCESS_DENIED; + } + else + { + return ACM_ACCESS_PERMITTED; + } +} + + +static inline void acm_domain_destroy(struct domain *d) +{ + void *ssid = d->ssid; + if (ssid != NULL) { + if (acm_primary_ops->domain_destroy != NULL) + acm_primary_ops->domain_destroy(ssid, d); + if (acm_secondary_ops->domain_destroy != NULL) + acm_secondary_ops->domain_destroy(ssid, d); + /* free security ssid for the destroyed domain (also if null policy */ + acm_domain_ssid_off_list(ssid); + acm_free_domain_ssid((struct acm_ssid_domain *)(ssid)); + } +} + + +static inline int acm_domain_create(struct domain *d, ssidref_t ssidref) +{ + void *subject_ssid = current->domain->ssid; + domid_t domid = d->domain_id; + int rc; + + read_lock(&acm_bin_pol_rwlock); + /* + To be called when a domain is created; returns 
'0' if the
+ domain is allowed to be created, != '0' if not.
+ */
+ rc = acm_init_domain_ssid(d, ssidref);
+ if (rc != ACM_OK)
+ goto error_out;
+
+ if ((acm_primary_ops->domain_create != NULL) &&
+ acm_primary_ops->domain_create(subject_ssid, ssidref, domid)) {
+ rc = ACM_ACCESS_DENIED;
+ } else if ((acm_secondary_ops->domain_create != NULL) &&
+ acm_secondary_ops->domain_create(subject_ssid, ssidref,
+ domid)) {
+ /* roll-back primary */
+ if (acm_primary_ops->domain_destroy != NULL)
+ acm_primary_ops->domain_destroy(d->ssid, d);
+ rc = ACM_ACCESS_DENIED;
+ }
+
+ if ( rc == ACM_OK )
+ {
+ acm_domain_ssid_onto_list(d->ssid);
+ } else {
+ acm_free_domain_ssid(d->ssid);
+ }
+
+error_out:
+ read_unlock(&acm_bin_pol_rwlock);
+ return rc;
+}
+
+
+static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
+{
+ if ((acm_primary_ops->sharing != NULL) &&
+ acm_primary_ops->sharing(ssidref1, ssidref2))
+ return ACM_ACCESS_DENIED;
+ else if ((acm_secondary_ops->sharing != NULL) &&
+ acm_secondary_ops->sharing(ssidref1, ssidref2)) {
+ return ACM_ACCESS_DENIED;
+ } else
+ return ACM_ACCESS_PERMITTED;
+}
+
+
+static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
+{
+ if ((acm_primary_ops->authorization != NULL) &&
+ acm_primary_ops->authorization(ssidref1, ssidref2))
+ return ACM_ACCESS_DENIED;
+ else if ((acm_secondary_ops->authorization != NULL) &&
+ acm_secondary_ops->authorization(ssidref1, ssidref2)) {
+ return ACM_ACCESS_DENIED;
+ } else
+ return ACM_ACCESS_PERMITTED;
+}
+
+
+/* Return true iff buffer has an acm policy magic number. */
+extern int acm_is_policy(char *buf, unsigned long len);
+
+#define DOM0_SSIDREF (dom0_ste_ssidref << 16 | dom0_chwall_ssidref)
+
+#endif
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_chinesewall_hooks.c
--- a/xen/xsm/acm/acm_chinesewall_hooks.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_chinesewall_hooks.c Fri Aug 31 12:05:07 2007 +0100
@@ -36,12 +36,11 @@
 #include <xen/lib.h>
 #include <xen/delay.h>
 #include <xen/sched.h>
-#include <public/acm.h>
+#include <public/xsm/acm.h>
 #include <asm/atomic.h>
-#include <acm/acm_core.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
-#include <acm/acm_core.h>
+#include <xsm/acm/acm_core.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
 ssidref_t dom0_chwall_ssidref = 0x0001;
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_core.c
--- a/xen/xsm/acm/acm_core.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_core.c Fri Aug 31 12:05:07 2007 +0100
@@ -1,4 +1,4 @@
-/****************************************************************
+#/****************************************************************
 * acm_core.c
 *
 * Copyright (C) 2005 IBM Corporation
@@ -29,16 +29,16 @@
 #include <xen/delay.h>
 #include <xen/sched.h>
 #include <xen/multiboot.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
 #include <xsm/xsm.h>
 /* debug:
- * include/acm/acm_hooks.h defines a constant ACM_TRACE_MODE;
+ * include/xsm/acm/acm_hooks.h defines a constant ACM_TRACE_MODE;
 * define/undefine this constant to receive / suppress any
 * security hook debug output of sHype
 *
- * include/public/acm.h defines a constant ACM_DEBUG
+ * include/public/xsm/acm.h defines a constant ACM_DEBUG
 * define/undefine this constant to receive non-hook-related
 * debug output.
 */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_null_hooks.c
--- a/xen/xsm/acm/acm_null_hooks.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_null_hooks.c Fri Aug 31 12:05:07 2007 +0100
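Review bot: The first hunk of xen/xsm/acm/acm_core.c turns the opening `/****…` of the file header comment into `#/****…`, which reads as an accidental keystroke rather than part of the include-path cleanup the commit describes. Because comments are replaced by a space before directives are processed, the line most likely degenerates into a null `#` directive and compiles silently, so neither the build nor a later reader will flag it (this assumes the comment's closing `*/` ends its own line, which is outside the hunk). I would restore the line to `/****************************************************************` as it was.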
@@ -12,7 +12,7 @@
 * License.
 */
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 static int null_init_domain_ssid(void **ssid, ssidref_t ssidref)
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_ops.c
--- a/xen/xsm/acm/acm_ops.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_ops.c Fri Aug 31 12:05:07 2007 +0100
@@ -18,14 +18,14 @@
 #include <xen/types.h>
 #include <xen/lib.h>
 #include <xen/mm.h>
-#include <public/acm.h>
-#include <public/acm_ops.h>
+#include <public/xsm/acm.h>
+#include <public/xsm/acm_ops.h>
 #include <xen/sched.h>
 #include <xen/event.h>
 #include <xen/trace.h>
 #include <xen/console.h>
 #include <xen/guest_access.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #ifndef ACM_SECURITY
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_policy.c
--- a/xen/xsm/acm/acm_policy.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_policy.c Fri Aug 31 12:05:07 2007 +0100
@@ -28,10 +28,10 @@
 #include <xen/sched.h>
 #include <xen/guest_access.h>
 #include <public/xen.h>
-#include <acm/acm_core.h>
-#include <public/acm_ops.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
+#include <xsm/acm/acm_core.h>
+#include <public/xsm/acm_ops.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
 #include <asm/current.h>
 static int acm_check_deleted_ssidrefs(struct acm_sized_buffer *dels,
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_simple_type_enforcement_hooks.c
--- a/xen/xsm/acm/acm_simple_type_enforcement_hooks.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_simple_type_enforcement_hooks.c Fri Aug 31 12:05:07 2007 +0100
@@ -28,10 +28,10 @@
 #include <xen/lib.h>
 #include <asm/types.h>
 #include <asm/current.h>
-#include <acm/acm_hooks.h>
 #include <asm/atomic.h>
-#include <acm/acm_endian.h>
-#include <acm/acm_core.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
+#include <xsm/acm/acm_core.h>
 ssidref_t dom0_ste_ssidref = 0x0001;
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_xsm_hooks.c
--- a/xen/xsm/acm/acm_xsm_hooks.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_xsm_hooks.c Fri Aug 31 12:05:07 2007 +0100
@@ -20,34 +20,36 @@
 */
 #include <xsm/xsm.h>
-#include <acm/acm_hooks.h>
-#include <public/acm.h>
+#include <xsm/acm/acm_hooks.h>
+#include <public/xsm/acm.h>
-static int acm_grant_mapref (struct domain *ld, struct domain *rd,
- uint32_t flags)
+static int acm_grant_mapref(
+ struct domain *ld, struct domain *rd, uint32_t flags)
 {
 domid_t id = rd->domain_id;
 return acm_pre_grant_map_ref(id);
 }
-static int acm_evtchn_unbound (struct domain *d1, struct evtchn *chn1, domid_t id2)
+static int acm_evtchn_unbound(
+ struct domain *d1, struct evtchn *chn1, domid_t id2)
 {
 domid_t id1 = d1->domain_id;
 return acm_pre_eventchannel_unbound(id1, id2);
 }
-static int acm_evtchn_interdomain (struct domain *d1, struct evtchn *chn1,
- struct domain *d2, struct evtchn *chn2)
+static int acm_evtchn_interdomain(
+ struct domain *d1, struct evtchn *chn1,
+ struct domain *d2, struct evtchn *chn2)
 {
 domid_t id2 = d2->domain_id;
 return acm_pre_eventchannel_interdomain(id2);
 }
-static void acm_security_domaininfo (struct domain *d,
- struct xen_domctl_getdomaininfo *info)
+static void acm_security_domaininfo(
+ struct domain *d, struct xen_domctl_getdomaininfo *info)
 {
 if ( d->ssid != NULL )
 info->ssidref = ((struct acm_ssid_domain *)d->ssid)->ssidref;
_______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog